
Proposal on new EU data protection presented

27.1.2012

On 25 January the European Commission published a broad legislative package aimed at safeguarding personal data across the EU. The set of new rules, proposed by Viviane Reding, Justice and fundamental rights commissioner, is expected to strengthen citizens' rights and, if approved by Parliament and member states, could have a far-reaching impact on the way online data are collected and processed.


If approved, the new rules will give citizens the "right to be forgotten", enabling them to delete personal information that they no longer want to share with banks, online booking websites or social media. There will also be an expiration date on the use of such information by those holding the data.

Currently personal information is often given away and even traded without people knowing it. A major element of the proposal therefore foresees that EU citizens will have to give their “explicit” consent before their data can be used.

Defining personal data?

What remains unclear, though, is exactly what kind of data can be considered as personal information under the new rules. For example, can internet 'cookies' be considered as personal data? A Commission memo describes personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."

The definition is not only significant for online privacy; it could also have an impact on how smoothly the internet works. All kinds of data are routinely exchanged among computers without users being aware of it. If the requirement for prior consent becomes too systematic, citizens' privacy will certainly be better protected but their web surfing experience might also be seriously affected, critics warn.

However, Commission officials offer assurances that consent will have to be given only once, and will not affect the way people use the internet.

Improvements for business

Clear data privacy rules should offer predictability for businesses, as EU-wide harmonisation is expected to help companies operate across borders with a single set of regulations. This could represent savings for businesses of around €2.3 billion a year. A number of exceptions are foreseen for small businesses, diminishing the bureaucratic burden related to data protection requirements.

The proposal also strengthens the role of national data protection authorities by giving them new powers and turning them into a single reference point at the national level for companies and citizens, “even when their data is processed by a company based outside the EU,” the Commission says.

Sanctions foreseen

A key point relates to sanctions for data breaches or improper use of personal data, considered key to improving citizen confidence in the internet. Consumers will shy away from buying online if they are uncertain about the use made of their electronic data. Therefore, straightforward sanctions for those who “intentionally or negligently” suffer data breaches or process data without the explicit consent of users are clearly stated in the new proposed rules.
Although the original proposal made by Reding included fines of up to 5% of the turnover of a company, it seems that milder sanctions were retained, with penalties reaching up to €1 million or up to 2% of the global annual turnover of a company in the most serious cases.

Notification of data breaches

Finally, the rules also foresee how and when companies should notify users of data breaches, with a clause reading "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority."

